Embed Cyber Essentials in your supply chain

Cyber security assurance in the supply chain

Your organisation will invariably rely upon suppliers to deliver products, systems, and services that will interact with your IT network and company data. These suppliers, in turn, will rely on a network of their own suppliers, and so on. In this way, a connected web of interdependency across numerous organisations is established, each layer introducing new risks to every organisation within that supply chain.

It's important to consider that a security gap in the systems of a third party somewhere in the supply chain may undermine your cyber security, no matter how good it is. 

In recent years, there has been a significant increase in cyber attacks resulting from vulnerabilities within supply chains, including some high-profile incidents. In June 2024, the attack on Synnovis, a supplier to the NHS, affected many NHS services.

Despite this, only 11% of businesses have assessed the cyber security of their immediate suppliers; the remaining 89% struggle to do this effectively, leaving themselves vulnerable to attack. This figure reflects how challenging it can be to assess suppliers’ cyber security.

Cyber Essentials as a supply chain tool

Cyber Essentials was introduced by the UK Government in 2014 as a way for organisations of all sizes to effectively address their cyber security. The annually renewable certification scheme is centred around five technical controls that, if implemented correctly, will protect any organisation from the majority of common internet-based cyber attacks, including ransomware. According to insurance data, organisations that have a current Cyber Essentials certification are 92% less likely to make a cyber insurance claim than those without.

Cyber Essentials certification provides a tangible way for organisations to gain confidence that their suppliers, or other third parties, have effectively implemented fundamental technical controls.

Accessible and affordable for all

Cyber Essentials is designed to be suitable for organisations of all sizes. 35% of Cyber Essentials certified organisations and 32% of those with Cyber Essentials Plus are micro-organisations (those with fewer than 10 employees).

Though there is a cost attached to achieving Cyber Essentials, it is comparatively inexpensive. The cost of the certificate is £320-600 +VAT for basic Cyber Essentials, depending on the size of your organisation, and the approximate cost of Cyber Essentials Plus will be from £2-3k, depending on the size and complexity of your network. Other certification schemes are significantly more costly, which makes them unattainable for many organisations. The remedial work needed to put in place the Cyber Essentials controls will vary between organisations. However, if an organisation needs to be cyber resilient, this is a necessary cost of implementing fundamental security controls that all organisations should really have in place.

Proven to make certified organisations more secure

Most importantly, we know that the scheme works. Organisations who require their suppliers or other third parties to have Cyber Essentials are proven to reduce the number of cyber incidents across their network.

One of the UK’s largest pensions & life companies, St. James’s Place, asked its partnership network of over 2,800 independent businesses to certify to Cyber Essentials Plus.

“In such a large supply chain, this had its challenges, but the decision is already showing a positive impact. Security incident numbers have significantly reduced… we have seen around 80% reduction in cyber security incidents, which directly correlates to controls and best practice implemented through Cyber Essentials.”

Matthew Smith, Divisional Director of Cyber Security, St. James’s Place.

Benefits of using Cyber Essentials as a supply chain tool

Confidence that a supplier has technical controls in place

A Cyber Essentials certificate demonstrates that a supplier has technical controls in place to protect them from common attacks; other standards or certifications do not necessarily provide this specific assurance.

Affordable and achievable for all organisations

Cyber Essentials certification is comparatively inexpensive. Other certification schemes are significantly more costly, thus making them unattainable for many organisations.

Consolidating the lengthy security review process

Requiring evidence of standardised minimum expectations reduces the time spent assessing suppliers. It is also helpful for the suppliers themselves, who benefit from clear, tangible expectations rather than responding to long and complex or duplicate questionnaires.

A dependable tool for global supply chains

Any organisation from any geography can get Cyber Essentials, making it a useful tool in gaining confidence in the cyber security of global suppliers.

Verify Cyber Essentials certifications across your supply chain

The Cyber Essentials Supplier Check Tool allows organisations to drop a large list of suppliers into a bespoke search function and find out which suppliers are certified to either Cyber Essentials or Cyber Essentials Plus.

As cyber threats continue to evolve, Cyber Essentials certification is an indispensable tool for ensuring a minimum standard of cyber security throughout the supply chain. It provides a standardised, affordable, and effective means of assessing and improving the cyber resilience of suppliers, both domestically and globally, and can be strategically integrated into the supply chain risk management process.

 
